The Personal Blog of a Geek in Arizona

Menu

Search

On Passwords

So you might have heard about the LinkedIn password hack the other day. Maybe you’ve changed your password, anywhere that your LinkedIn password was used! Good. Us admins still have to worry, though. Here’s why:

The vast, vast majority of passwords especially for social media will be 6-8 characters. If you read the news, you’ll see them claiming 60% of the 6 million passwords dumped have been cracked already, just a few days later. What does that mean for our security and choosing good passwords?

Well, by comparison, I would guess that any 9-character password that’s been cracked at this point is likely using common English words with low complexity. Why would I make a distinction between 8-character and 9-character passwords?

Because of the math. Assuming everyone had a totally-random password of uppercase, lowercase, and a number, being cracked at a pretty-normal rate of 1.4 million guesses per second, you get:
6 chars: 11 hours max
7 chars: 29 days max
8 chars: 4.9 years max
9 chars: 306 years max
10 chars: 19,000 years max

Divide that in half for your mean time before cracking, and subtract about 90% for how un-random most people’s passwords are, and you’ve got a pitiful 90 days for 8-char but a still-respectable 15 years for 9 character.

This is why I make a fuss about things that seem minor.

So, how many people out there do you think use the same LinkedIn password as they do for their work? And, how many LinkedIn users list their employment status on their LinkedIn profile? That’s why us admins still have to worry.

What should you do?

First, choose longer passwords. Adding a single character stacks the math significantly in your favor. I suggest passphrases, where you type a bunch of nonsense words with spaces and a few symbols. “Blimen 5 Habernash?” is way easier to type than “Blimen5?” and is way more secure.

Second, don’t mix password “tiers.” I suggest having one password for work, one for finances, one for social media, and one for things you don’t care about. The worst thing you could do is have the same password on Facebook as you do for work.